top of page
  • Clipeus

"Leaky Vessels" Vulnerabilities and "Commando Cat"

The Docker threat landscape underwent relevant developments; while new vulnerabilities were discovered, an unknown threat actor has been observing abusing Docker containers in order to deploy a number of payloads. The latter has been dubbed "Commando Cat."

On January 31, 2024, Snyk reported a set of vulnerabilities - cumulatively dubbed "Leaky Vessels" - impacting the runC utility which is used to deploy and operate containers in Linux. The vulnerabilities may enable a potential attacker to bypass the container and gain unauthorized access to the underlying host with subsequent data compromise.

The vulnerabilities include:

  • CVE-2024-21626 (CVSS score: 8.6) - runC process.cwd and leaked fds container breakout.

  • CVE-2024-23651 (CVSS score: 8.7) - Build-time race condition container breakout.

  • CVE-2024-23652 (CVSS score: 10.0) - Buildkit Build-time Container Teardown Arbitrary Delete.

  • CVE-2024-23653 (CVSS score: 9.8) - GRPC security mode privilege check: Build-time container breakout.

Patched runC versions have been released for Google Cloud Platform (GCP), Ubuntu, Amazon Web Services (AWS). Docker released a new version of buildkit and moby. Similarly, a new containerd version that addresses the issues was released on January 31, 2024.

Regarding "Commando Cat" (from the pull command - "cmd[.]cat/chattr" - performed during the attack chain), the threat was discovered by Cado, and reported in an advisory published on February 1, 2024. The malware targets internet-exposed Docker API instances. The originating IP address observed in attacks in the wild is 45[.]9[.]148[.]193 - consistent with infrastructure hosted in the Netherlands.

Commando Cat has been observed performing cryptomining activities and installing an information stealer which targets cloud service credentials, namely AWS, GCP, Azure.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page